This chapter discusses the many ways that packet filtering can be used as a means to secure the perimeter of your network. It also weighs the positive and negative points of using a packet filter as the means to control traffic flow based on address and port, and the weaknesses of the packet-filtering technology.

This chapter is from the book

Packet filtering is one of the oldest and most widely available means to control
access to networks. The concept is simple: determine whether a packet is allowed
to enter or exit the network by comparing basic identifying information in the
packet's header, such as its addresses and ports, against a set of rules.
Packet-filtering technology can be found in operating systems, in software and
hardware firewalls, and as a security feature of most routers.

The goal of this chapter is to explore the strengths and weaknesses of packet-filtering
technology and how to implement it successfully. We discuss the
basics of TCP/IP and how they apply to packet filtering, along with the rules
for implementing packet filters using Cisco router access lists. We explore
uses for rules that filter on source address, such as allowing or prohibiting
traffic from given hosts and ingress and egress filters. We also cover filters
that examine destination addresses and make decisions based on port numbers,
and their uses for improved control of traffic flow. We examine the problems
of the packet filter, including its susceptibility to spoofing and fragmentation,
its difficulty controlling return traffic, and the problems with poking an always-open hole
in your defense. Finally, we explore the power of dynamic packet filters and
the ways they can correct many of the shortcomings of static packet filtering.

TCP/IP Primer: How Packet Filtering Works

Before we go into the details of packet filtering, it is necessary to
understand the structure of the TCP/IP protocol suite and the packets it
carries, because those packet headers are what a filter examines.

NOTE

The next several sections provide a basic overview of the TCP/IP protocol.
Advanced readers might find this review unnecessary and might prefer to skip
ahead to the section "The Cisco Router as a Packet Filter."

When systems on a network communicate, they need to speak the same language,
or protocol. One such protocol suite is TCP/IP, the primary
communications language of the Internet. To facilitate such communications, the
information you send is broken down into manageable pieces called
packets. Each packet begins with a header, a small block of information that
identifies the packet and describes how it should be handled.

The IP portion of TCP/IP stands for Internet Protocol. It is
responsible for addressing packets (by IP address) and for guiding
them to their destination. IP packets are directed, or routed, by the
values located in their packet headers. These fields hold information about
where the packet came from (source address), where it is going (destination
address), and other details such as the type of service the packet
might require.

IP Version 6

The version of the IP protocol that is most commonly used on the Internet today,
and the one we refer to in this chapter, is IP version 4 (IPv4). It was
created in the 1980s and has many limitations that have required extensions to
keep it viable into the twenty-first century. Those limitations include a
restricted address space, no integrated security, no integrated means to
assign addresses automatically, and so on. Although technologies were
created as "band-aids" to help overcome these issues (NAT, IPSec, and
DHCP), it wasn't long before development began on a replacement version. In
the 1990s, IP version 6 (IPv6) was born.

IPv6 has a much larger potential address space, made up of eight 16-bit values
instead of IPv4's four 8-bit values. IPv4 addresses are most commonly written
as decimals in the format 192.168.1.1, where each decimal number is a value
between 0 and 255 (2^8 possible values). IPv6 addresses are written in
hexadecimal in the format 1234:ABCD:1A2B:4321:CDEF:C5D6:789D:F12A, where each
hexadecimal number is a value between 0 and FFFF (0 and 65535 in decimal, 2^16
possible values). Hexadecimal is used to keep the already long IPv6 address
notation more concise and readable. One shorthand method of IPv6 notation
abbreviates a run of zero groups with double colons (::). For example, the
IPv6 address 1234:5678:0000:0000:0000:0000:0000:1AF4 can instead be written as
1234:5678::1AF4. The double colons indicate that all digits between the groups
listed are zeroes.

Other improvements that IPv6 offers are integrated authentication
and encryption methods, automatic address assignment capabilities, improved
Quality of Service (QoS) methods, and an improved header format that moves
everything but essential routing information into extension headers, allowing for
quicker processing. Despite all its advantages, IPv6 is still not heavily
implemented. As a network administrator, it is important that you are aware of
IPv6 and its possible advantages for your environment, even though you may not
be required to use it for years to come. For more information on the IPv6
standard, refer to RFC 2460.
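To make the "::" shorthand concrete, here is an added example (not code from the book) that expands a compressed IPv6 address to its eight 16-bit groups and compresses a full address back, replacing the longest run of zero groups; the function names are my own.

```python
import string

# Added example (not from the book): expand and compress IPv6 addresses to
# show how the "::" shorthand described above maps to the full eight groups.

def expand_ipv6(addr: str) -> str:
    """Expand a textual IPv6 address to eight 4-digit uppercase hex groups."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed in an IPv6 address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = left + ["0"] * missing + right
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit groups")
    for g in groups:  # each group is 1-4 hex digits, i.e. a value 0..FFFF
        if not (1 <= len(g) <= 4 and set(g) <= set(string.hexdigits)):
            raise ValueError(f"bad group {g!r}")
    return ":".join(f"{int(g, 16):04X}" for g in groups)

def compress_ipv6(addr: str) -> str:
    """Shorten an address: drop leading zeros and replace the longest run of
    two or more zero groups with '::' (the first such run if there is a tie)."""
    groups = [f"{int(g, 16):X}" for g in expand_ipv6(addr).split(":")]
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups + ["end"]):  # sentinel closes a trailing run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
            continue
        if run_len > best_len:
            best_start, best_len = run_start, run_len
        run_len = 0
    if best_len < 2:  # a single zero group is written as 0, not ::
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"
```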

When an IP packet arrives at a router, the router looks at the packet's
destination address to see whether it knows how to reach that destination. If it
does, it passes the packet to the appropriate network segment. The fact that a
router forwards any packet whose destination it knows is called implicit
permit. Unless further security measures are added, all traffic is allowed
in as well as out. For this reason, a method is required to control the
information entering and exiting the interfaces of the router.
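The following added example (my own code, not the book's) shows the decision a packet filter makes in miniature: it pulls the source and destination addresses, protocol, and TCP ports out of a raw IPv4 header and compares them with a small rule list. The rules, the 192.0.2.10 web server and the 203.0.113.5 client are constructed for illustration; calling the filter with an empty rule list and a default of "permit" models the unfiltered router's implicit permit.

```python
import struct
from ipaddress import ip_address, ip_network

# Added example (not from the book): the decision a packet filter makes, in
# miniature. Parse the header fields from raw bytes and compare them with a
# rule list; with an empty rule list and default "permit" the function behaves
# like the unfiltered router described above (implicit permit).

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull out the header fields a filter compares: addresses, protocol, ports."""
    (ver_ihl, _tos, _length, _ident, _frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; options may follow
    fields = {"src": ip_address(src), "dst": ip_address(dst), "proto": proto,
              "sport": None, "dport": None}
    if proto == 6 and len(pkt) >= ihl + 4:  # TCP: ports are the first 4 bytes
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return fields

# Constructed rule list: (action, source net, destination net, protocol, dest port).
# None means "any". First matching rule wins, as with a router access list.
RULES = [
    ("deny", ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0"), None, None),
    ("permit", ip_network("0.0.0.0/0"), ip_network("192.0.2.10/32"), 6, 80),
]

def filter_packet(pkt: bytes, rules=RULES, default: str = "deny") -> str:
    """Return the action of the first matching rule, or the default action."""
    f = parse_ipv4_tcp(pkt)
    for action, src_net, dst_net, proto, dport in rules:
        if (f["src"] in src_net and f["dst"] in dst_net
                and proto in (None, f["proto"]) and dport in (None, f["dport"])):
            return action
    return default

def build_packet(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN header for testing (checksums zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    return ip + tcp
```

The first rule drops anything claiming a private source address on the outside interface, which is the ingress-filter idea mentioned in the chapter overview; the second admits only web traffic to the one server.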